Getting Information Security Training Right
December 17, 2008
Anybody who has talked to me in the past few years knows that one of the things that I’m most passionate about is evolving one’s career. Whether it’s the work I do with career coaching, my talks and research with Lee Kushner on infosec careers, or just my blog posts here, it’s a favorite topic of mine.
The topic of certifications goes hand in hand with career management – in fact, when Lee and I talk, one of our slides lists “What certification should I get?” as our “least favorite question“. Because we get it every time we talk to anybody.
One of the other things I’ve been doing of late is teaching classes to help people become more effective penetration testers. Penetration testing is where I started my career, and I really enjoy helping people learn those skills and develop that part of their capabilities. So, for the first few months after I left Neohapsis, I was working with one of the more well-known training organizations, and I expected to be able to make a difference.
Unfortunately, my expectations were underwhelmed. Where the organization promised “deluxe accommodations” for their students, we were booked at the Quality Inn. Where they promised “cutting-edge techniques”, students got information and exercises that were 5 years old.
Anybody who has worked with me knows I’m a bit of a stickler for doing right by my clients. And this wasn’t right. And I was frustrated because, despite my emails to the leadership of the organization, I was seeing no improvement.
So, I was sharing this frustration with my associates over at Foreground Security (who also run The Hacker Academy). And they agreed with me. But they did it one better: they challenged me. Dave and Aaron said:
“Can you do better?”
When I told them I could, they threw down the gauntlet.
“Give it a shot. What would it need?”
After a few conversations, we came up with a few different things. First and foremost, the curriculum needs to be up to date. No more teaching stuff that is five years old and calling it “state of the art”. Exercises should be consistent with what Foreground’s team of pen-testers are seeing on real engagements on a daily basis. If tools/exploits/techniques stop being relevant, then we teach their replacements.
Second: the curriculum needs to be KEPT up to date. And so do the students. And the students need access to a quarterly update of all the things that are new. No more of the “get ‘em out the door” way of doing things – let’s ensure that every student who goes through this class is given access to continuing information that will let them stay current.
Third: Let’s give them real facilities with solid, repeatable technology and processes. And it shouldn’t matter whether they take a class from us in Orlando, DC, San Francisco or Switzerland, the experience should be the same.
And, finally: Instructors should be trained to give the same material in the same way each time.
In short, we’ll run it like a business. And we’ll treat our students the way that they deserve to be treated.
Well, Dave and Aaron liked that so much that they told me to go for it. And they put out a press release about it. Our first class with the new curriculum I’m designing is going to be in mid-January, in Orlando. Because, really… who wants to be anywhere but Florida in January?